Cryptosystems

ABSTRACT

Public key cryptosystems are derived from a public key base matrix together with a public key product matrix, generated as the product of private key circulant matrices with the public key base matrix. Matrix elements are taken from a commutative ring. The elements of each row of a private key circulant matrix being relatively prime provides the security of the trapdoor function used for decryption.

CROSS-REFERENCE TO RELATED APPLICATIONS

[0001] This application claims priority from provisional application No. 60/467,407, filed May 2, 2003.

BACKGROUND OF THE INVENTION

[0002] The present invention relates to data security and encryption, and more particularly, to public key cryptosystems and methods.

[0003] The widely-used cryptosystem Data Encryption Standard (DES) has a symmetric algorithm which uses the same key for encryption and decryption on 64-bit blocks of a message. The algorithm basically includes the steps of: apply an initial permutation of the 64-bit block; next, split the block into left and right 32-bit blocks; combine the right block with 48 bits of the 56-bit key to get 32 new bits and exclusive OR (XOR) with the left block to form a new left block; interchange the left and right blocks to reform a 64-bit block; repeat the split-combine-XOR-interchange-reform fifteen more times; and lastly, apply an inverse of the initial permutation on the 64-bit block. The partition of a message into blocks and the communication of the key between participants lead to potential security problems. Other block-based encryption methods have the same potential problems.

[0004] Alternatively, a public key cryptosystem uses separate-but-related encryption and decryption keys: a public key and a private key. The public key is used to encrypt messages which can be decrypted using the private key; thus no communication of a key is needed. Public key cryptosystems also provide digital signatures in addition to encryption of messages: the public key is used to decrypt a digital signature which has been encrypted using the private key. However, the known public key cryptosystems are computationally intensive, and typically must partition a file into smaller blocks (e.g., smaller than the modulus in RSA) which are separately encrypted.

[0005] In fact, digital signatures on documents typically follow a two-step process: first calculate the message digest of the document file with an algorithm, such as MD5, and then encrypt the digest of the document file with the private key. To verify the signature, first calculate the message digest of the (unsigned) document file; next, decrypt the encrypted digest with the public key to get the plain digest, and then compare these two digests.

[0006] Public key cryptosystems typically rely on the difficulty of factoring a large number into primes or the difficulty of computing logarithms in finite fields.

[0007] One widely-analyzed public key cryptosystem is RSA which uses two large primes, p, q, to define a (public) modulus, n=pq, and a (public) encryption key, e, any random number relatively prime to (p−1)(q−1), together with a private key, d, such that de=1 mod((p−1)(q−1)). The encryption of message m is m^e mod(n), and decryption follows from m=(m^e)^d mod(n). This decryption reflects Euler's extension of Fermat's little theorem, which states y^φ(x)=1 mod(x) for any integers x and y greater than 1, where φ(.) is Euler's phi function. Because n is a product of primes, φ(n)=(p−1)(q−1); and the existence of d such that de=1 mod(φ(n)) derives from e and φ(n) being relatively prime. Note that x and y being relatively prime means that the greatest common divisor of x and y is 1, and this is written gcd(x,y)=1.

[0008] One computational problem with RSA is that the message m, expressed as a positive integer, must be smaller than the modulus n. Thus typically large messages are partitioned into blocks of size less than n, and each block is separately encrypted. As with block-based symmetric key systems, this lessens security. In practice, RSA is only used for key management (encrypting keys for a session of a computationally-faster symmetric key system) or digital signatures.

[0009] However, these public key encryption methods have limited use due to excessive overhead in terms of processor time utilization.

SUMMARY OF THE INVENTION

[0010] The present invention provides public key cryptosystems based on circulant matrices over a commutative ring.

BRIEF DESCRIPTION OF THE DRAWINGS

[0011] FIG. 1 shows a preferred embodiment cryptosystem construction.

[0012] FIGS. 2a-2b are flow diagrams for encryption and decryption preferred embodiments.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

[0013] 1. Overview

[0014] Preferred embodiment public key cryptosystems are based on matrix multiplications over a commutative ring. The public key for encryption consists of two matrices, P and G, and the encryption method for a message matrix, S, first selects two random prime circulant matrices, X and Y, and then computes the encrypted message as the two matrices C₁=XPY^S and C₂=XGY, where ^ denotes exclusive OR (XOR) on an element-by-element matrix basis and bit-by-bit within the elements expressed in binary; see FIG. 2a. The private key consists of two prime circulant matrices, A and B, which were used to form the public key product matrix P from G as P=AGB; G is nonsingular (maximal rank) and commutes only with scalar multiples of the identity matrix. FIG. 1 illustrates the key construction.

[0015] Decryption relies on the commutativity of matrix multiplication of circulant matrices over a commutative ring. In particular, with public key P and G plus the received encrypted message matrices C₁ and C₂, recover S as follows:

$\begin{aligned} A C_2 B \wedge C_1 &= A X G Y B \wedge X P Y \wedge S \\ &= A X G Y B \wedge X A G B Y \wedge S \\ &= A X G Y B \wedge A X G Y B \wedge S \\ &= 0 \wedge S \\ &= S \end{aligned}$

[0016] where the commutativity of the matrix multiplications of the circulant matrices (AX=XA and YB=BY) was used together with the triviality of an XOR of an item with itself; see FIG. 2b.

[0017] The preferred embodiment methods provide one-way trapdoor functions which map a data matrix plus two random prime circulant matrices over a commutative ring into two message matrices. The security is based on the difficulty of solving a system of multivariate polynomial equations over a specified commutative ring. The conditions that the matrices A, B, X, and Y be prime and that matrix G be nonsingular (maximal rank) and commute only with scalars are conditions relating to the security of the trapdoor function (discussed in section 6 below). Relaxing one or more of these conditions may still yield a viable cryptosystem.

[0018] Preferred embodiment hardware could each include one or more digital signal processors (DSPs) and/or other programmable devices with stored programs for performance of the processing of the preferred embodiment methods. Alternatively, specialized circuitry (ASICs) could be used. The hardware may also contain analog integrated circuits for amplification of inputs to or outputs from networks, wireline and wireless, and conversion between analog and digital; and these analog and processor circuits may be integrated on a single die. The stored programs may, for example, be in ROM or flash EEPROM integrated with the processor or external. Exemplary DSP cores could be in the TMS320C6xxx family from Texas Instruments.

[0019] 2. Circulant Matrix Background

[0020] To illustrate a preferred embodiment circulant-matrix-based public key cryptosystem, first consider the following background.

[0021] An N×N matrix whose rows are composed of cyclically shifted versions of a length-N list L is called a circulant matrix. For example, the 3×3 circulant matrix from the list L={a,b,c} is denoted circ(a,b,c) and given by: $\mathrm{circ}(a,b,c) = \begin{bmatrix} a & b & c \\ c & a & b \\ b & c & a \end{bmatrix}$

[0022] The list L may be of any type of elements, but the preferred embodiment methods will use elements from a commutative ring, such as the integers, the integers modulo a prime, the integers modulo a composite, and so forth.

[0023] The preferred embodiment methods take advantage of the closure and commutativity of matrix multiplication for circulant matrices. In particular, consider the matrix product circ(a₀, a₁, . . . , a_{N−1}) circ(b₀, b₁, . . . , b_{N−1}). With the subscripts treated modulo N, direct multiplication shows the row m, column n element of the product is $\sum_{0 \le k \le N-1} a_k b_{-m+n-k}$. Now simultaneously incrementing both m and n leaves each product in the summation unchanged; and thus the product is also a circulant matrix. Further, the summation is invariant under the interchange of a and b because the summation is over all products where the sum of the subscripts equals −m+n modulo N, and this, combined with the ring multiplication being commutative ($a_k b_{-m+n-k} = b_{-m+n-k} a_k$), implies the matrix multiplication is commutative for circulant matrices. Note that the summation has the form of a circular convolution.

[0024] An N×N circulant matrix with elements in a commutative ring is called prime if the elements of a row (i.e., the elements of the list generating the circulant matrix) have a greatest common divisor (gcd) in the ring equal to 1 (the multiplicative identity of the ring); or, if the ring does not have a multiplicative identity, then the gcd of the elements of a row is not an element of the ring. The definition of prime circulant matrix extends to various classes of commutative rings. The pertinent examples: if the ring is the ring of integers, then the elements of the list are relatively prime; if the ring is a ring (field) of integers modulo a prime, then the elements of the list are all different; if the ring is a ring of integers modulo a composite, then the elements of the list are all different; and if the ring is a Boolean ring, then there is no constraint and all circulant matrices are prime.
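As an added example (not code from the patent), the following Python builds circulant matrices, checks numerically the closure and commutativity derived in [0023] over Z_n, and implements the "prime circulant" test of [0024] for each ring the text names. The function names and the sample values are this example's own.

```python
from functools import reduce
from math import gcd


def circ(row):
    """Circulant matrix: row m is the generating list rotated right m places,
    so circ([a, b, c]) == [[a, b, c], [c, a, b], [b, c, a]]."""
    n = len(row)
    return [[row[(k - m) % n] for k in range(n)] for m in range(n)]


def matmul_mod(a, b, n):
    """Product of two matrices with every entry reduced modulo n."""
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) % n
             for j in range(len(b[0]))]
            for i in range(len(a))]


def is_circulant(m):
    """True if every row of the square matrix m is row 0 rotated right."""
    n = len(m)
    return all(m[i] == [m[0][(k - i) % n] for k in range(n)] for i in range(n))


def circulants_commute(row_a, row_b, n):
    """Closure and commutativity of [0023], checked numerically in Z_n:
    circ(a) circ(b) must itself be circulant and equal circ(b) circ(a)."""
    a, b = circ(row_a), circ(row_b)
    ab = matmul_mod(a, b, n)
    ba = matmul_mod(b, a, n)
    return ab == ba and is_circulant(ab)


def circular_convolution(row_a, row_b, n):
    """Row 0 of circ(a) circ(b), i.e. the sum of [0023] with m = 0:
    entry j is sum_k a_k * b_{j-k} (subscripts modulo N), reduced mod n."""
    size = len(row_a)
    return [sum(row_a[k] * row_b[(j - k) % size] for k in range(size)) % n
            for j in range(size)]


def is_prime_circulant(row, ring, n=None):
    """The 'prime' condition of [0024] for the rings the text lists.
    ring is 'Z' (integers), 'Zp' (integers modulo a prime n),
    'Zn' (integers modulo a composite n) or 'bool' (Boolean ring)."""
    if ring == "Z":
        return reduce(gcd, row) == 1               # entries relatively prime
    if ring in ("Zp", "Zn"):
        reduced = [x % n for x in row]
        return len(set(reduced)) == len(reduced)   # entries all different
    if ring == "bool":
        return True                                # no constraint at all
    raise ValueError("unknown ring: " + str(ring))


if __name__ == "__main__":
    # Constructed sample: the Party1 private-key lists of the section 5 example, in Z_35.
    print(circ([13, 11]))
    print(circulants_commute([13, 11], [17, 2], 35))
    print(is_prime_circulant([13, 11], "Zn", 35), is_prime_circulant([6, 10], "Z"))
```

The commutativity check is deliberately numeric rather than symbolic: it is the property that decryption in section 5 depends on, so a practitioner porting the scheme to another ring representation can rerun it there.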

[0025] For a given (not necessarily square) matrix G with elements in the ring, define the coefficient matrix G_c as a doubly circulant matrix as follows. First, let R1, R2, . . . , RN denote the rows of G; next, set M_{R1}=circ(R1), M_{R2}=circ(R2), . . . , M_{RN}=circ(RN); and then define G_c as circ(M_{R1}, M_{R2}, . . . , M_{RN}). Thus when G is an N×M matrix, G_c is an NM×NM square matrix. For example, with $G = \begin{bmatrix} g_1 & g_2 & g_3 \\ g_4 & g_5 & g_6 \\ g_7 & g_8 & g_9 \end{bmatrix},$

[0026] first, the rows are: R1=[g1, g2, g3], R2=[g4, g5, g6], and R3=[g7, g8, g9]; next, $M_{R1} = \begin{bmatrix} g_1 & g_2 & g_3 \\ g_3 & g_1 & g_2 \\ g_2 & g_3 & g_1 \end{bmatrix}, \quad M_{R2} = \begin{bmatrix} g_4 & g_5 & g_6 \\ g_6 & g_4 & g_5 \\ g_5 & g_6 & g_4 \end{bmatrix}, \quad M_{R3} = \begin{bmatrix} g_7 & g_8 & g_9 \\ g_9 & g_7 & g_8 \\ g_8 & g_9 & g_7 \end{bmatrix};$

[0027] and finally: $G_c = \begin{bmatrix} g_1 & g_2 & g_3 & g_4 & g_5 & g_6 & g_7 & g_8 & g_9 \\ g_3 & g_1 & g_2 & g_6 & g_4 & g_5 & g_9 & g_7 & g_8 \\ g_2 & g_3 & g_1 & g_5 & g_6 & g_4 & g_8 & g_9 & g_7 \\ g_7 & g_8 & g_9 & g_1 & g_2 & g_3 & g_4 & g_5 & g_6 \\ g_9 & g_7 & g_8 & g_3 & g_1 & g_2 & g_6 & g_4 & g_5 \\ g_8 & g_9 & g_7 & g_2 & g_3 & g_1 & g_5 & g_6 & g_4 \\ g_4 & g_5 & g_6 & g_7 & g_8 & g_9 & g_1 & g_2 & g_3 \\ g_6 & g_4 & g_5 & g_9 & g_7 & g_8 & g_3 & g_1 & g_2 \\ g_5 & g_6 & g_4 & g_8 & g_9 & g_7 & g_2 & g_3 & g_1 \end{bmatrix}$

[0028] Note that when considered as a 9×9 matrix with elements g_k, G_c is not circulant.

[0029] 3. Circulant Matrix-Based One-Way Trapdoor Function

[0030] The preferred embodiment encryption methods use a one-way trapdoor function that maps N×M base matrix G to N×M product matrix P=AGB, where the matrix elements are elements of a commutative ring. Given G and P, it is difficult to recover A and B when the following conditions apply: (i) G is a non-singular matrix (has maximal rank) and commutes only with itself and with scalars (i.e., diagonal matrices with the diagonal element an element of the ring), and (ii) A is N×N and B is M×M and both are prime circulant matrices with elements in the ring.

[0031] This trapdoor function is unusual in the sense that there are always (m+1) sets of matrices (A′, B′) which will satisfy P=A′GB′, where m is the number of invertible elements of the ring, not counting the identity. In particular, if P=AGB and A′=Ax plus B′=Bx⁻¹, where x is an invertible element of the ring (Ax indicates multiplication of each element of A by x, which is equivalent to matrix multiplication by a diagonal matrix with all diagonal elements equal to x), then A′GB′=AxGBx⁻¹=AxGx⁻¹B=AGxx⁻¹B=AGB=P.

[0032] The converse is also true: if A′GB′=AGB, then there exists an invertible element, x, such that A′=Ax and B′=Bx⁻¹. This uniqueness of A and B up to multiplication by invertible elements (units) follows from the properties of G, A, and B. Explicitly, presume A′GB′=AGB and left and right multiply by the inverse matrices A⁻¹ and B⁻¹ to have G=A⁻¹A′GB′B⁻¹. But G only commutes with scalars, so A⁻¹A′ and B′B⁻¹ are both scalars (i.e., diagonal matrices with the diagonal matrix elements all equal to an element of the ring); so without loss of generality take A⁻¹A′=x and B′B⁻¹=y. Hence, G=xGy. But scalars commute with G, and G is non-singular (has maximal rank), which allows cancellation, so the scalars must be inverses: y=x⁻¹. That is, A′=Ax and B′=Bx⁻¹.

[0033] Some examples: First, when the commutative ring is the set of integers with the usual operations, there are only two invertible elements, 1 and −1, and thus there will be two solutions: (A, B) and (−A, −B).

[0034] Next, when the commutative ring is the set of integers modulo a prime, p, the ring is the Galois field GF(p), all non-zero elements are invertible, and there will be p−1 solutions. Thus the problem to find (A, B) will reduce to one variable less than the number of variables actually used to formulate A and B; namely, 2N−1. Indeed, let A=circ(a1, a2, . . . , aN), B=circ(b1, b2, . . . , bN), A′=circ(a1′, a2′, . . . , aN′), and B′=circ(b1′, b2′, . . . , bN′). Now presume the a1, a2, . . . , aN and b1, b2, . . . , bN are fixed. Next, without loss of generality assign an arbitrary value λ to a1′; then A′=Ax implies a1′=λ=a1x and thus x=λa1⁻¹. Hence, a2′=a2x=a2λa1⁻¹, a3′=a3x=a3λa1⁻¹, . . . , aN′=aNx=aNλa1⁻¹, and similarly: b1′=b1x⁻¹=b1λ⁻¹a1, b2′=b2x⁻¹=b2λ⁻¹a1, . . . , bN′=bNx⁻¹=bNλ⁻¹a1. Hence, the number of variables is the same.

[0035] Lastly, when the commutative ring is the set of integers modulo a composite, n, the number of non-zero invertible elements equals φ(n), where φ(.) is Euler's phi function.

[0036] 4. Circulant Matrix-Based Key Agreement

[0037] The key agreement between two parties is as follows, and can be extended to more than two parties. Begin with public N×M matrix G, which has elements from a commutative ring. Initially, Party1 selects secret N×N matrix A₁ and secret M×M matrix B₁, which are circulant with elements in the commutative ring, and then computes P₁=A₁GB₁ and sends (G, P₁) to Party2. Party2 gets (G, P₁) and selects secret N×N matrix A₂ and secret M×M matrix B₂, which are circulant with elements in the commutative ring, and then computes P₂=A₂GB₂ and sends (G, P₂) to Party1. Then Party1 computes S=A₁P₂B₁ and Party2 computes S=A₂P₁B₂; S is the shared secret for encryption. Note that the commutativity of matrix multiplication of circulant matrices allowed the two different computations to give the same S.

[0038] 5. Circulant Matrix-Based Public Key Cryptosystems

[0039] Preferred embodiment encryption and decryption use the foregoing circulant matrix-based processing as follows. Presume an N×M base matrix G with matrix elements in a commutative ring; G may satisfy conditions such as being nonsingular (having maximal rank), having limited commutation, and generating a coefficient matrix not of maximal rank.

[0040] Party1 creates a public key with the following steps: (1) select secret N×N matrix A and secret M×M matrix B, where both A and B are circulant matrices with elements in the commutative ring, and both may be prime circulant matrices (see section 6); (2) compute P=AGB; and (3) publish (G, P), with the ring implicit, as a public key for encryption; the private key consists of the two secret circulant matrices (A, B).

[0041] Party2 can encrypt a message for Party1 by the steps of: (1) format the plaintext message as an N×M matrix, S, with elements in the commutative ring, where the ring elements are represented in binary; (2) select random N×N matrix X and random M×M matrix Y, where both X and Y are circulant matrices with elements in the commutative ring; and (3) compute the encrypted message as the two N×M matrices C₁=XPY^S and C₂=XGY, where ^ denotes exclusive OR (XOR) computed element-by-element in the matrices and bit-by-bit within each matrix element, which is a ring element represented in binary. Note that the XOR is computed after the matrix multiplications.

[0042] Party1 decrypts the encrypted message by the steps: (1) multiply the received encrypted message matrix C₂ with the private key matrices A and B, and then (2) perform exclusive OR of the product with received encrypted matrix C₁ to recover S:

$\begin{aligned} A C_2 B \wedge C_1 &= A X G Y B \wedge X P Y \wedge S \\ &= A X G Y B \wedge X A G B Y \wedge S \\ &= A X G Y B \wedge A X G Y B \wedge S \\ &= 0 \wedge S \\ &= S \end{aligned}$

[0043] where the commutativity of the circulant matrix multiplications (AX=XA and YB=BY) was used together with the triviality of the XOR of an item with itself.

[0044] This preferred embodiment encryption/decryption method can be illustrated with the following simple example. Take the commutative ring to be the integers modulo 35; 35=5*7 is a composite integer. Take $G = \begin{bmatrix} 7 & 2 \\ 23 & 3 \end{bmatrix};$

[0045] note that G is nonsingular but that the 4×4 coefficient matrix generated by G, G_c, has determinant equal to 0; this helps security as described in the following section 6.

[0046] For the Party1 private key matrices take $A_1 = \begin{bmatrix} 13 & 11 \\ 11 & 13 \end{bmatrix} \quad\text{and}\quad B_1 = \begin{bmatrix} 15 & 17 \\ 17 & 15 \end{bmatrix},$

[0047] and for Party2 take $A_2 = \begin{bmatrix} 11 & 2 \\ 2 & 11 \end{bmatrix} \quad\text{and}\quad B_2 = \begin{bmatrix} 2 & 3 \\ 3 & 2 \end{bmatrix}.$

[0048] Party1 computes $P_1 = A_1 G B_1 = \begin{bmatrix} 3 & 13 \\ 27 & 27 \end{bmatrix}$

[0049] and Party2 computes $P_2 = A_2 G B_2 = \begin{bmatrix} 15 & 5 \\ 15 & 0 \end{bmatrix}.$

[0050] (P₁, G) and (P₂, G) are the published public keys for Party1 and Party2, respectively. Note that this G commutes with scalars and with $\begin{bmatrix} 4 & 2 \\ 23 & 0 \end{bmatrix},$

[0051] but not with any of A₁, B₁, A₂, and B₂.

[0052] Party1 computes S₁=A₁P₂B₁ and Party2 computes S₂=A₂P₁B₂; both S₁ and S₂ are equal to $\begin{bmatrix} 10 & 30 \\ 10 & 20 \end{bmatrix},$

[0053] and this is the shared secret.

[0054] A third party encrypts a message (in 2×2 matrix S format) for Party1 by first selecting random 2×2 circulant matrices, $X = \begin{bmatrix} 17 & 2 \\ 2 & 17 \end{bmatrix} \quad\text{and}\quad Y = \begin{bmatrix} 3 & 2 \\ 2 & 3 \end{bmatrix};$

[0055] then computing C₁=XP₁Y^S and C₂=XGY. Let $S = \begin{bmatrix} 25 & 28 \\ 28 & 5 \end{bmatrix},$

[0056] so: $C_1 = \begin{bmatrix} 25 & 20 \\ 20 & 5 \end{bmatrix} \wedge \begin{bmatrix} 25 & 28 \\ 28 & 5 \end{bmatrix} = \begin{bmatrix} 0 & 8 \\ 8 & 0 \end{bmatrix} \quad\text{and}\quad C_2 = \begin{bmatrix} 15 & 30 \\ 30 & 30 \end{bmatrix}.$

[0057] Then the third party sends (C₁, C₂) to Party1 as the encryption of message S.

[0058] Party1 decrypts by computing:

$\begin{aligned} A_1 C_2 B_1 \wedge C_1 &= \begin{bmatrix} 13 & 11 \\ 11 & 13 \end{bmatrix} \begin{bmatrix} 15 & 30 \\ 30 & 30 \end{bmatrix} \begin{bmatrix} 15 & 17 \\ 17 & 15 \end{bmatrix} \wedge \begin{bmatrix} 0 & 8 \\ 8 & 0 \end{bmatrix} \\ &= \begin{bmatrix} 25 & 20 \\ 20 & 5 \end{bmatrix} \wedge \begin{bmatrix} 0 & 8 \\ 8 & 0 \end{bmatrix} \\ &= \begin{bmatrix} 25 & 28 \\ 28 & 5 \end{bmatrix} \end{aligned}$

[0059] which recovers S. Note that the bit-by-bit XOR of 20 and 8 is the XOR of 10100 and 01000, which equals 11100=28.
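As an added example (not code from the patent), the following Python runs the key construction of [0040], the key agreement of section 4, and the encryption and decryption of [0041] and [0042] on the numbers of the section 5 example over Z_35, and also exhibits the unit ambiguity of [0031] by rescaling Party1's private key with a unit of Z_35. The helper functions and their names are this example's own.

```python
MODULUS = 35  # the commutative ring of the worked example: integers modulo 35


def circ(row):
    """Circulant matrix generated by row (row m is row rotated right m places)."""
    n = len(row)
    return [[row[(k - m) % n] for k in range(n)] for m in range(n)]


def matmul_mod(a, b, n):
    """Matrix product with every entry reduced modulo n."""
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) % n
             for j in range(len(b[0]))]
            for i in range(len(a))]


def xor_matrix(a, b):
    """Element-by-element, bit-by-bit XOR of two equally shaped matrices."""
    return [[x ^ y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]


def make_public_key(g, a, b, n):
    """[0040] steps (2)-(3): P = A G B; (G, P) is public, (A, B) stays private."""
    return matmul_mod(matmul_mod(a, g, n), b, n)


def shared_secret(a_mine, p_theirs, b_mine, n):
    """Section 4: A_mine P_theirs B_mine; commutativity makes both sides agree."""
    return matmul_mod(matmul_mod(a_mine, p_theirs, n), b_mine, n)


def encrypt(g, p, s, x, y, n):
    """[0041] step (3): C1 = X P Y ^ S and C2 = X G Y, XOR after the products."""
    c1 = xor_matrix(matmul_mod(matmul_mod(x, p, n), y, n), s)
    c2 = matmul_mod(matmul_mod(x, g, n), y, n)
    return c1, c2


def decrypt(a, b, c1, c2, n):
    """[0042]: A C2 B ^ C1 = A X G Y B ^ X A G B Y ^ S = S."""
    return xor_matrix(matmul_mod(matmul_mod(a, c2, n), b, n), c1)


def rescaled_private_key(a, b, x, n):
    """[0031]: for a unit x of Z_n, (A x, B x^-1) yields the same P as (A, B)."""
    x_inv = pow(x, -1, n)  # modular inverse; raises ValueError if x is not a unit
    return ([[v * x % n for v in row] for row in a],
            [[v * x_inv % n for v in row] for row in b])


# Values taken from the section 5 example ([0044]-[0055]).
G = [[7, 2], [23, 3]]
A1, B1 = circ([13, 11]), circ([15, 17])
A2, B2 = circ([11, 2]), circ([2, 3])
X, Y = circ([17, 2]), circ([3, 2])
S = [[25, 28], [28, 5]]


def run_example():
    """Run every step of the example and return the intermediate results."""
    p1 = make_public_key(G, A1, B1, MODULUS)
    p2 = make_public_key(G, A2, B2, MODULUS)
    k1 = shared_secret(A1, p2, B1, MODULUS)    # Party1: A1 P2 B1
    k2 = shared_secret(A2, p1, B2, MODULUS)    # Party2: A2 P1 B2
    c1, c2 = encrypt(G, p1, S, X, Y, MODULUS)  # third party -> Party1
    recovered = decrypt(A1, B1, c1, c2, MODULUS)
    return {"P1": p1, "P2": p2, "K1": k1, "K2": k2,
            "C1": c1, "C2": c2, "recovered": recovered}


if __name__ == "__main__":
    for name, value in run_example().items():
        print(name, value)
```

Two points worth checking when running it. First, the entries of C₁ are XOR results, not ring elements: they are only ever XORed again during decryption, never multiplied, so they need not be reduced modulo 35, and the example's 20^28=8 stays below 35 only by chance. Second, the matrix displayed in [0052] equals the intermediate product A₁P₂; the full products A₁P₂B₁ and A₂P₁B₂ agree with each other, which is the property key agreement relies on, and the code computes both. `pow(x, -1, n)` needs Python 3.8 or later.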

[0060] 6. Security

[0061] This section discusses the security of the preferred embodiment trapdoor function for various commutative rings and matrix conditions.

[0062] (a) The Ring GF(p)

[0063] The commutative ring of integers modulo a (large) prime, p, is the finite (Galois) field GF(p), and all non-zero elements have inverses (are units) and thus divide every other element.

[0064] The security of many recently proposed cryptosystems is based on the difficulty of solving a system of quadratic multivariate polynomial equations, which is NP-hard over any field. There are quite a few algorithms for solving a system of multivariate polynomial equations modulo a large prime, including the Gröbner bases technique and the homotopy method. However, all of these algorithms have very large exponential complexity in the number of variables. Thus, the preferred embodiments select an N×M base matrix G whose rows are elements of GF(p) in such a way that the NM×NM coefficient matrix, G_c, derived from G has rank NM−min(N,M)+1. This implies any attack based on Gauss reduction of the coefficient matrix would not work.

[0065] For example, analyze the 3×3 problem as follows. Let A=circ(a,b,c) and B=circ(d,e,f) and take a 3×3 G such that the 9×9 G_c has rank 3²−3+1=7. Then the product matrix P=AGB is expressed as:

$\begin{bmatrix} p_{11} & p_{12} & p_{13} \\ p_{21} & p_{22} & p_{23} \\ p_{31} & p_{32} & p_{33} \end{bmatrix} = \begin{bmatrix} a & b & c \\ c & a & b \\ b & c & a \end{bmatrix} \begin{bmatrix} g_{11} & g_{12} & g_{13} \\ g_{21} & g_{22} & g_{23} \\ g_{31} & g_{32} & g_{33} \end{bmatrix} \begin{bmatrix} d & e & f \\ f & d & e \\ e & f & d \end{bmatrix}$

[0066] Now rewrite this matrix equation in the following form. Define F(A,B)=AGB−P, so the equation is F(A,B)=0, where 0 is the 3×3 null matrix. Now the matrix elements of F depend bilinearly upon the six variables defining A and B as follows. First, label the matrix elements as: $F(A,B) = \begin{bmatrix} F1 & F2 & F3 \\ F4 & F5 & F6 \\ F7 & F8 & F9 \end{bmatrix}$ so:

F1(a, b, c, d, e, f) = (a * g11 + b * g21 + c * g31) * d + (a * g12 + b * g22 + c * g32) * f + (a * g13 + b * g23 + c * g33) * e − p11

F2(a, b, c, d, e, f) = (a * g11 + b * g21 + c * g31) * e + (a * g12 + b * g22 + c * g32) * d + (a * g13 + b * g23 + c * g33) * f − p12

F3(a, b, c, d, e, f) = (a * g11 + b * g21 + c * g31) * f + (a * g12 + b * g22 + c * g32) * e + (a * g13 + b * g23 + c * g33) * d − p13

F4(a, b, c, d, e, f) = (c * g11 + a * g21 + b * g31) * d + (c * g12 + a * g22 + b * g32) * f + (c * g13 + a * g23 + b * g33) * e − p21

F5(a, b, c, d, e, f) = (c * g11 + a * g21 + b * g31) * e + (c * g12 + a * g22 + b * g32) * d + (c * g13 + a * g23 + b * g33) * f − p22

F6(a, b, c, d, e, f) = (c * g11 + a * g21 + b * g31) * f + (c * g12 + a * g22 + b * g32) * e + (c * g13 + a * g23 + b * g33) * d − p23

F7(a, b, c, d, e, f) = (b * g11 + c * g21 + a * g31) * d + (b * g12 + c * g22 + a * g32) * f + (b * g13 + c * g23 + a * g33) * e − p31

F8(a, b, c, d, e, f) = (b * g11 + c * g21 + a * g31) * e + (b * g12 + c * g22 + a * g32) * d + (b * g13 + c * g23 + a * g33) * f − p32

F9(a, b, c, d, e, f) = (b * g11 + c * g21 + a * g31) * f + (b * g12 + c * g22 + a * g32) * e + (b * g13 + c * g23 + a * g33) * d − p33

[0067] where * denotes multiplication in GF(p).

[0068] Each of the 9 equations Fj(a,b,c,d,e,f)=0 has (p−1)⁵ solutions, out of which (p−1) will satisfy F(A,B)=0. As shown in the foregoing, one variable can be assigned an arbitrary value. Thus presume a is constant in the 9 equations; then each equation will have (p−1)⁴ solutions, out of which one will satisfy F(A,B)=0. So in practice a cryptanalyst cannot resort to an exhaustive search. A and B prime avoids degenerate cases.

[0069] The foregoing system of 9 equations can be simplified to another system of equations in three variables by applying Cramer's rule, because the foregoing is linear in d,e,f. Thus separately solve for d,e,f from each of the three sets of equations {F1=0, F2=0, F3=0}, {F4=0, F5=0, F6=0}, and {F7=0, F8=0, F9=0}. This gives three solutions for each of d,e,f (in terms of a,b,c); then equate the three solutions for each of d,e,f and solve them by assigning a an arbitrary value. To solve this reduced system requires solving the non-linear equation in two variables, b,c, of degree three that will have only one solution as shown above. G was taken such that G_c is of rank 7, thus solving by Gauss Reduction would require that 9−7=2 variables be taken arbitrarily. But the system reduces to only two variables, b,c; thus using Gauss Reduction does not give any advantage.

[0070] Gauss-Reduction could be applied on the system. After rearranging the rows (so that the j-th row of the coefficient matrix is the j-th row of G_c), the system of equations becomes:

$\begin{bmatrix} F1 \\ F3 \\ F2 \\ F7 \\ F9 \\ F8 \\ F4 \\ F6 \\ F5 \end{bmatrix} = \begin{bmatrix} g_{11} & g_{12} & g_{13} & g_{21} & g_{22} & g_{23} & g_{31} & g_{32} & g_{33} \\ g_{13} & g_{11} & g_{12} & g_{23} & g_{21} & g_{22} & g_{33} & g_{31} & g_{32} \\ g_{12} & g_{13} & g_{11} & g_{22} & g_{23} & g_{21} & g_{32} & g_{33} & g_{31} \\ g_{31} & g_{32} & g_{33} & g_{11} & g_{12} & g_{13} & g_{21} & g_{22} & g_{23} \\ g_{33} & g_{31} & g_{32} & g_{13} & g_{11} & g_{12} & g_{23} & g_{21} & g_{22} \\ g_{32} & g_{33} & g_{31} & g_{12} & g_{13} & g_{11} & g_{22} & g_{23} & g_{21} \\ g_{21} & g_{22} & g_{23} & g_{31} & g_{32} & g_{33} & g_{11} & g_{12} & g_{13} \\ g_{23} & g_{21} & g_{22} & g_{33} & g_{31} & g_{32} & g_{13} & g_{11} & g_{12} \\ g_{22} & g_{23} & g_{21} & g_{32} & g_{33} & g_{31} & g_{12} & g_{13} & g_{11} \end{bmatrix} \begin{bmatrix} a*d \\ a*f \\ a*e \\ b*d \\ b*f \\ b*e \\ c*d \\ c*f \\ c*e \end{bmatrix} - \begin{bmatrix} p_{11} \\ p_{13} \\ p_{12} \\ p_{31} \\ p_{33} \\ p_{32} \\ p_{21} \\ p_{23} \\ p_{22} \end{bmatrix} = 0$

[0071] where again * denotes multiplication in GF(p).

[0072] Thus the 9 variables a*d, a*f, a*e, b*d, b*f, . . . can be solved uniquely by Gauss-Reduction if the coefficient matrix is non-singular. But the coefficient matrix is just G_c, and G was taken so that G_c is singular with rank 7 (=NM−min(N,M)+1), and thus Gauss-Reduction does not work.
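As an added example (not code from the patent), the following Python builds the coefficient matrix G_c of [0025], computes determinants modulo n, and checks numerically the rewriting of [0070]: for any N×N circulant A and B, G_c maps the vector of products a_k·b_l onto the re-indexed entries of P=AGB, which is why a non-singular G_c would let Gauss reduction recover those products and a singular one blocks it. It also uses the base matrix of the section 5 example to confirm the claim in [0045] that its 4×4 coefficient matrix has determinant 0 modulo 35. Helper names and the 3×3 sample values are this example's own.

```python
def circ(row):
    """Circulant matrix generated by row (row m is row rotated right m places)."""
    n = len(row)
    return [[row[(k - m) % n] for k in range(n)] for m in range(n)]


def matmul_mod(a, b, n):
    """Matrix product with every entry reduced modulo n."""
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) % n
             for j in range(len(b[0]))]
            for i in range(len(a))]


def block_circ(blocks):
    """Circulant arrangement of equally sized square blocks:
    block (I, K) of the result is blocks[(K - I) % N]."""
    count, size = len(blocks), len(blocks[0])
    out = []
    for i in range(count):
        for r in range(size):
            out.append([x for k in range(count)
                        for x in blocks[(k - i) % count][r]])
    return out


def coefficient_matrix(g):
    """G_c = circ(circ(R1), ..., circ(RN)) built from the rows of G ([0025]);
    for an N x M base matrix the result is NM x NM."""
    return block_circ([circ(row) for row in g])


def det_int(m):
    """Exact integer determinant by cofactor expansion (small matrices only)."""
    if len(m) == 1:
        return m[0][0]
    total = 0
    for j in range(len(m)):
        minor = [row[:j] + row[j + 1:] for row in m[1:]]
        total += (-1) ** j * m[0][j] * det_int(minor)
    return total


def det_mod(m, n):
    """Determinant reduced into Z_n; 0 means the matrix is singular there."""
    return det_int(m) % n


def coefficient_identity_holds(g, a_row, b_row, p):
    """Check the linear form of [0070] modulo p for square G: with v listing
    the products a_k * b_{(-l) mod N} (the order a*d, a*f, a*e, b*d, ... of
    the text), G_c v equals the entries of P = AGB read at the re-indexed
    positions P[(-I) mod N][(-J) mod N], the same permutation that lists
    p11, p13, p12, p31, ... in the text."""
    size = len(g)
    a, b = circ(a_row), circ(b_row)
    p_mat = matmul_mod(matmul_mod(a, g, p), b, p)
    g_c = coefficient_matrix(g)
    v = [(a_row[k] * b_row[(-l) % size]) % p
         for k in range(size) for l in range(size)]
    lhs = [sum(g_c[r][c] * v[c] for c in range(size * size)) % p
           for r in range(size * size)]
    rhs = [p_mat[(-i) % size][(-j) % size]
           for i in range(size) for j in range(size)]
    return lhs == rhs


# Base matrix of the section 5 example ([0044]): det G_c must vanish mod 35.
G_EXAMPLE = [[7, 2], [23, 3]]

if __name__ == "__main__":
    print(coefficient_matrix(G_EXAMPLE))
    print(det_mod(G_EXAMPLE, 35), det_mod(coefficient_matrix(G_EXAMPLE), 35))
    # Constructed 3x3 instance over GF(101) for the linearization check.
    print(coefficient_identity_holds([[2, 7, 1], [8, 2, 8], [1, 8, 2]],
                                     [3, 1, 4], [1, 5, 9], 101))
```

The identity holds over any commutative ring, so the same function can be run with a composite modulus; `det_mod` uses exact integer arithmetic and is only practical for the small dimensions of the text's examples, and for the 8×8 base matrices of [0073] a rank computation over GF(p) by elimination would replace it.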

[0073] Hence, for an N×N matrix the quadratic system will reduce to a system of equations in N−1 variables of degree N. But for large N, finding the base matrix G such that the coefficient matrix G_c is of rank NM−min(N,M)+1 is not easy. But if the prime p is on the order of 64 bits, then taking the base matrix G such that the coefficient matrix G_c is of rank NM−2 is not difficult, because this only requires solution of a system of equations in two variables, which can be solved by any of the known methods. Since in this case the security is on the order of 2¹²⁸ trials (because two variables are arbitrary) against solution by Gauss Reduction, the rank NM−min(N,M)+1 criterion need not be satisfied. But for smaller primes the rank NM−min(N,M)+1 criterion needs to be approached. To address current security requirements, the matrix dimension should be at least 8×8 with 64-bit primes and rank G_c=64−2=62. Since the system of quadratic equations will have 15 variables, the Gröbner bases technique or the homotopy method will require complexity of the order of more than 2¹²⁸ ring operations.

[0074] (b) The Ring Z_(n) with n=pq

[0075] The commutative ring of integers modulo a large composite, n=pq, with p and q primes, is denoted Z_n; note that Z_n has zero divisors, e.g., p*q=0.

[0076] The security of many current cryptosystems, including RSA, is based on the difficulty of factoring a large composite integer into its component primes. This problem has been assumed to be hard for some time in the cryptographic literature. A preferred embodiment cryptosystem selects an N×M base matrix, G, whose rows are elements of Z_n and such that the corresponding NM×NM coefficient matrix, G_c, has a determinant equal to 0 (in Z_n). Thus any attack based on Gaussian reduction of the coefficient matrix would not work, and because n is so large, taking one variable arbitrary would not be practical. Except for the case of a 2×2 base matrix, every dimension from 3×2 and higher for the base matrix is secure. For the case of a 2×2 base matrix Pollard's heuristic can solve the underlying quadratic equations.

[0077] Consider the analysis of a 3×2 base matrix explicitly: Take $G = \begin{bmatrix} g_1 & g_2 \\ g_3 & g_4 \\ g_5 & g_6 \end{bmatrix}$

[0078] with rank 2 such that $G_c = \begin{bmatrix} g_1 & g_2 & g_3 & g_4 & g_5 & g_6 \\ g_2 & g_1 & g_4 & g_3 & g_6 & g_5 \\ g_5 & g_6 & g_1 & g_2 & g_3 & g_4 \\ g_6 & g_5 & g_2 & g_1 & g_4 & g_3 \\ g_3 & g_4 & g_5 & g_6 & g_1 & g_2 \\ g_4 & g_3 & g_6 & g_5 & g_2 & g_1 \end{bmatrix}$

[0079] has a determinant equal to 0 (modulo n). Then for $A = \begin{bmatrix} a & b & c \\ c & a & b \\ b & c & a \end{bmatrix} \quad\text{and}\quad B = \begin{bmatrix} d & e \\ e & d \end{bmatrix},$

[0080] calculate $P = \begin{bmatrix} p_1 & p_2 \\ p_3 & p_4 \\ p_5 & p_6 \end{bmatrix} = \begin{bmatrix} a & b & c \\ c & a & b \\ b & c & a \end{bmatrix} \begin{bmatrix} g_1 & g_2 \\ g_3 & g_4 \\ g_5 & g_6 \end{bmatrix} \begin{bmatrix} d & e \\ e & d \end{bmatrix}$

[0081] where the multiplications and additions are all modulo n.

[0082] It is difficult to find A and B given n, G, and P. Solving this problem is as difficult as factoring n. Using Cramer's rule reduces this system of six (actually five linearly independent) quadratic equations in five variables to either a system of four polynomial equations of degree two in three variables or a system of three polynomial equations of degree three in two variables, depending upon which set of variables (either (a,b,c) or (d,e)) is used. This G dimension 3×2 leads to systems sufficiently difficult to solve to withstand present day security requirements (A. Shamir, On the Generation of Multivariate Polynomials which are Hard to Factor, Proceedings of the 25th annual ACM Symposium on Theory of Computing (San Diego 1993) has a general discussion). Further, the 3×2 base matrix preferred embodiment only requires 36 multiplications and is much faster than those cryptosystems based on exponentiation. But the size of the preferred embodiment public key is six (five if the linear dependence of p1, p2, . . . , p6 is also published) times those based on exponentiation. This is a tradeoff with the preferred embodiment over Z_n.

[0083] (c) The Ring of Integers Z

[0084] The ring of integers, Z, is an integral domain with only 1 and −1 as invertible elements. The same analysis as in the foregoing subsections applies: the matrix equations to find A and B given G and P are NP-hard, and Cramer's rule converts the problem into solving a system of multivariate polynomial equations with the coefficient matrix G_c. There are quite a few algorithms for solving over the ring of integers, including the Gröbner bases technique. All of these algorithms have very large exponential complexity in the number of variables. One advantage of taking the preferred embodiment ring to be the integers is in the public key encryption, where the size of the encrypted data will be only approximately 1.5 times the plaintext size instead of 2 times the plaintext as in the foregoing two subsections, if the size of the base matrix elements is small. Since 1 and −1 are the only invertible elements, G need not be taken so that the determinant of G_c equals 0 if the elements of G are large. To solve the system through Gaussian Reduction one needs to try all of the factors.

[0085] (d) The Ring is Boolean

[0086] The set of integers, expressed in binary, with the addition operation as XOR bit-by-bit and the multiplication operation as AND bit-by-bit forms a Boolean ring with the additive identity having all 0 bits and the multiplicative identity having all 1 bits. The preferred embodiment trapdoor function again analyzes as in the foregoing subsections, but there is insufficient analysis of the Boolean ring to assess security currently.

[0087] 7. Modifications

[0088] The preferred embodiments may be varied while retaining the feature of a cryptosystem generated from a base matrix plus two circulant matrices with matrix elements from a commutative ring.

[0089] For example, various conditions on the matrices can be imposed to help the security of the cryptosystem, including conditions on the rank of the base matrix and its coefficient matrix, and so forth. Relaxing the non-commutativity criteria between the private key and the base matrix will make the system insecure.

What is claimed is:
1. A method of public key encryption, comprising: (a) providing circulant matrices X and Y; and (b) computing matrices C₁=XPY^S and C₂=XGY, where S is a matrix of information to be encrypted, ^ denotes exclusive OR, and matrices G and P form a public key; (c) wherein the matrices C₁ and C₂ are an encryption of S.
2. The method of claim 1, wherein: (a) the elements of the matrices X, P, Y, G, and S are integers.
3. The method of claim 2, wherein: (a) the elements of each row of matrix X have a greatest common divisor equal to 1; and (b) the elements of each row of matrix Y have a greatest common divisor equal to 1.
4. The method of claim 1, wherein: (a) the elements of the matrices X, P, Y, G, and S are integers modulo a prime.
5. The method of claim 4, wherein: (a) the elements of each row of matrix X are all different; and (b) the elements of each row of matrix Y are all different.
6. The method of claim 1, wherein: (a) the elements of the matrices X, P, Y, G, and S are integers modulo a composite.
7. The method of claim 6, wherein: (a) the elements of each row of matrix X are all different; and (b) the elements of each row of matrix Y are all different.
8. The method of claim 1, wherein: (a) the elements of the matrices X, P, Y, G, and S are Boolean.
9. A public key, comprising: (a) matrices P and G, where P=AGB with matrices A and B being circulant; (c) whereby the matrices C₁ and C₂ are an encryption of S for C₁=XPY^S and C₂=XGY, with ^ denoting exclusive OR and X and Y circulant matrices.
10. The cryptosystem of claim 9, wherein: (a) the elements of the matrices X, P, Y, G, A, B, and S are members of a commutative ring.
11. A method of public key decryption, comprising: (a) for an input of matrices C₁ and C₂ which encrypt a matrix S, computing the matrix AC₂B^C₁ where ^ denotes exclusive OR, and matrices A and B are circulant and relate to public key matrices P and G by P=AGB with public key matrices P and G used in computation of input matrices C₁ and C₂.
12. The method of claim 11, wherein: (a) said computation of input matrices C₁ and C₂ in step (a) of claim 11 is by selection of circulant matrices X and Y, and computation C₁=XPY^S and C₂=XGY.
13. The method of claim 11, wherein: (a) the elements of the matrices A, P, B, G, and S are integers.
14. The method of claim 13, wherein: (a) the elements of each row of matrix A have a greatest common divisor equal to 1; and (b) the elements of each row of matrix B have a greatest common divisor equal to 1.
15. The method of claim 11, wherein: (a) the elements of the matrices A, P, B, G, and S are integers modulo a prime.
16. The method of claim 15, wherein: (a) the elements of each row of matrix A are all different; and (b) the elements of each row of matrix B are all different.
17. The method of claim 11, wherein: (a) the elements of the matrices A, P, B, G, and S are integers modulo a composite.
18. The method of claim 17, wherein: (a) the elements of each row of matrix A are all different; and (b) the elements of each row of matrix B are all different.
19. The method of claim 11, wherein: (a) the elements of the matrices A, P, B, G, and S are Boolean.
20. The method of claim 11, wherein: (a) matrix G generates a singular coefficient matrix.
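The encryption of claim 1 and the decryption of claim 11, worked through over the integers with a 3×2 base matrix as in the preferred embodiment; this is an added illustration with constructed toy values, not code from the patent, and the row gcd check corresponds to claims 3 and 14. It only demonstrates that the trapdoor recovers S (because circulant matrices of equal size commute), not the security of any parameter choice.

```python
from math import gcd
from functools import reduce

def circulant(row):
    """Square circulant matrix whose i-th row is the first row shifted right i times."""
    n = len(row)
    return [[row[(j - i) % n] for j in range(n)] for i in range(n)]

def matmul(M, N):
    """Plain integer matrix product (no modulus: the ring here is Z)."""
    return [[sum(M[i][k] * N[k][j] for k in range(len(N)))
             for j in range(len(N[0]))] for i in range(len(M))]

def xor(M, N):
    """Element-wise exclusive OR, the '^' of the claims."""
    return [[a ^ b for a, b in zip(ra, rb)] for ra, rb in zip(M, N)]

def rows_coprime(M):
    """Claims 3 and 14: the entries of every row have greatest common divisor 1."""
    return all(reduce(gcd, row) == 1 for row in M)

def public_key(G, A, B):
    """Claim 9: P = A G B; (G, P) is published, (A, B) is the private key."""
    return matmul(matmul(A, G), B)

def encrypt(G, P, S, X, Y):
    """Claim 1: fresh circulants X, Y; C1 = X P Y ^ S, C2 = X G Y."""
    return xor(matmul(matmul(X, P), Y), S), matmul(matmul(X, G), Y)

def decrypt(A, B, C1, C2):
    """Claim 11: A C2 B ^ C1. Because A X = X A and Y B = B Y for circulants
    of equal size, A C2 B = X (A G B) Y = X P Y, so the XOR with C1 leaves S."""
    return xor(matmul(matmul(A, C2), B), C1)

def demo():
    # Constructed toy values: 3x2 base matrix, 3x3 circulants on the left,
    # 2x2 circulants on the right (sizes are forced by the shape of G).
    G = [[1, 2], [3, 4], [5, 6]]
    A, B = circulant([2, 3, 5]), circulant([3, 4])   # private key
    X, Y = circulant([1, 4, 6]), circulant([2, 5])   # per-message randomness
    S = [[7, 11], [13, 17], [19, 23]]                 # plaintext matrix
    P = public_key(G, A, B)
    C1, C2 = encrypt(G, P, S, X, Y)
    return rows_coprime(A) and rows_coprime(B) and decrypt(A, B, C1, C2) == S

if __name__ == "__main__":
    print("decryption recovers S:", demo())
```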